bug: Push Publishing Job Management API — 4 issues in error handling and input validation

[fmontes]

Summary

During exploratory testing of the Publishing Push publishing job management REST endpoints (/api/v1/publishing/*), 4 issues were identified related to error handling consistency, input validation, and error message quality.

---

Issues Found

1. GET /api/v1/publishing/{bundleId} — XSS characters in path return Tomcat HTML instead of JSON

Severity: Low
Endpoint: GET /api/v1/publishing/{bundleId}

When the bundleId path parameter contains characters like <script>, Tomcat rejects the request at the container level and returns an HTML 400 page instead of a JSON error response. All other error cases for this endpoint return well-formed JSON.

Steps to reproduce:

curl -s "http://localhost:7070/api/v1/publishing/bundle%3Cscript%3E" \
  -H "Authorization: Bearer $TOKEN"

Expected: JSON response {"error": "dotcms.api.error.bad_request: ..."}
Actual: Tomcat HTML 400 page — <html><title>HTTP Status 400 - Bad Request</title>...

---

2. POST /api/v1/publishing/retry — Invalid deliveryStrategy exposes internal Java class name

Severity: Low
Endpoint: POST /api/v1/publishing/retry

When an invalid deliveryStrategy value is submitted, the error message exposes the internal Java class name com.dotcms.publishing.PublisherConfig$DeliveryStrategy. This is inconsistent with other validation errors on this API which return clean, user-friendly messages.

Steps to reproduce:

curl -s -X POST "http://localhost:7070/api/v1/publishing/retry" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"bundleIds":["some-bundle"],"deliveryStrategy":"INVALID_STRATEGY"}'

Actual response:

{"message":"Can not construct instance from value 'INVALID_STRATEGY': not a valid class com.dotcms.publishing.PublisherConfig$DeliveryStrategy value"}

Expected response (consistent with other endpoints):

{"error":"dotcms.api.error.bad_request: Invalid deliveryStrategy: 'INVALID_STRATEGY'. Valid values: ALL_ENDPOINTS, FAILED_ENDPOINTS"}

---

3. GET /api/v1/publishing — Out-of-range page/per_page values are silently clamped instead of returning 400

Severity: Info
Endpoint: GET /api/v1/publishing

The OpenAPI spec states valid range for per_page is 1-500 and page starts from 1. However, out-of-range values are silently clamped to the nearest valid value and a 200 is returned. The spec documents a 400 for "pagination out of range".

Input	Expected (per spec)	Actual behavior
per_page=0	400	200, clamped to perPage: 1
per_page=-1	400	200, clamped to perPage: 1
per_page=501	400	200, clamped to perPage: 500
page=0	400	200, clamped to currentPage: 1

Either the spec should be updated to document the clamping behavior, or the endpoint should return 400 for out-of-range values.

---

4. POST /api/v1/publishing/push/{bundleId} — Invalid date format bypasses validation (bundle lookup runs first)

Severity: Info
Endpoint: POST /api/v1/publishing/push/{bundleId}

When publishDate contains an invalid format (e.g. "2025/03/15 14:30:00" instead of ISO 8601), the endpoint returns 404 (bundle not found) instead of 400 (invalid date format). This happens because the bundle DB lookup executes before the date format is validated.

Steps to reproduce:

curl -s -X POST "http://localhost:7070/api/v1/publishing/push/nonexistent-bundle" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"operation":"publish","filterKey":"ForcePush.yml","environments":["env-id"],"publishDate":"2025/03/15 14:30:00"}'

Expected: 400 — invalid date format
Actual: 404 — bundle not found (date validation never reached)

Date format validation should occur before the bundle DB lookup to provide accurate feedback.

---

Test Environment

• Endpoints tested: GET /api/v1/publishing, GET/DELETE /api/v1/publishing/{bundleId}, POST /api/v1/publishing/push/{bundleId}, POST /api/v1/publishing/retry, DELETE /api/v1/publishing/purge
• Total tests run: 85
• Pass: 84 | Fail: 1 (issue update with latest SVN #1 above; issues Test Branch and Commit #2-4 are behavioral observations)

Acceptance Criteria

• GET /api/v1/publishing/{bundleId} returns a JSON error response for all invalid bundleId inputs, including those with special characters
• POST /api/v1/publishing/retry returns a clean, user-friendly error message for invalid deliveryStrategy values without exposing internal Java class names
• GET /api/v1/publishing behavior for out-of-range page/per_page is either documented (clamping) or enforced (400) — spec and implementation agree
• POST /api/v1/publishing/push/{bundleId} validates publishDate/expireDate format before performing the bundle DB lookup

[fmontes]

Here are the 10 issues found in the PublishingResource:

---

HIGH — Code bugs (confirmed by tests)

1. DELETE /{bundleId} doesn't return 404 — deleting a non-existent bundle silently returns 200. The spec says 404, the code doesn't deliver it.

2. POST /push/{bundleId} validates in wrong order — date format, filterKey, and operation case are all validated after the bundle existence check. So a request with a bad date to a missing bundle returns 404 instead of 400.

3. status query params have no machine-readable enum — valid values are listed as a prose string in the description. Swagger UI won't render a dropdown, codegen won't produce enums.

---

MEDIUM — Schema gaps

4. deliveryStrategy missing allowableValues — no enum list, no mention that it's case-sensitive. Sending "all_endpoints" (lowercase) returns 400 with no clear guidance.

5. operation case-insensitivity not documented — the code lowercases it, so "PUBLISH" works. But deliveryStrategy is case-sensitive. The two params behave differently and the docs say nothing about it.

6. Date fields missing format and timezone requirement — no format: date-time annotation, and nowhere does it say timezone offset is mandatory. A date without offset silently fails.

7. filterKey not exposed in response views — the list and detail views return filterName (the display label) but not filterKey (the identifier you need to make API calls). No way to reproduce a push from what the API returns.

---

LOW — Minor doc issues

8. Purge async behavior unexplained for API clients — the docs say "processes in background" but don't explain the result arrives via WebSocket system message. Non-browser clients will never receive it.

9. bundleId examples use wrong format — examples show a UUID+label format (f3d9a4b7-staging-bundle-2026-01-15) but real IDs are ULID (01KJWNJM2C67DM56GHBJ4S7B89).

10. EndpointDetailView.port has no format constraint — it's a required string with no pattern, range, or null check. An empty string passes.

[fmontes]

@claude fix this.

[claude]

Claude finished @fmontes's task —— View job • claude/issue-34862-20260304-1534 • Create PR ➔

---

Publishing Push Job Management API Issues Fixed ✅

Successfully resolved all 10 issues identified in the Publishing REST API endpoints.

Todo List:

• Read repository guidelines (CLAUDE.md)
• Locate PublishingResource class and related files
• Analyze current implementation and helper classes
• Fix HIGH priority issues (3 items):
  • Issue 1: DELETE /{bundleId} should return 404 for non-existent bundles (Fixed: Check bundle existence first)
  • Issue 2: POST /push/{bundleId} validation order (Fixed: Date format validation before bundle lookup)
  • Issue 3: Add machine-readable enum for status query params (Fixed: Added allowableValues to schema)
• Fix MEDIUM priority issues (4 items):
  • Issue 4: Add allowableValues for deliveryStrategy (Fixed: Added to RetryBundlesForm)
  • Issue 5: Document operation case-insensitivity vs deliveryStrategy case-sensitivity (Fixed: Added to schema descriptions)
  • Issue 6: Add format and timezone requirements for date fields (Fixed: Added format="date-time" and timezone info)
  • Issue 7: Expose filterKey in response views (Fixed: Added filterKey field to PublishingJobView)
• Fix LOW priority issues (3 items):
  • Issue 8: Document purge async behavior for API clients (Fixed: Added WebSocket notification info to docs)
  • Issue 9: Fix bundleId examples to use correct ULID format (Fixed: Changed all examples to ULID format)
  • Issue 10: Add format constraint for EndpointDetailView.port (Fixed: Added port range pattern validation)
• Additional fixes:
  • Fixed pagination validation to return 400 instead of clamping (Issue 3 related)
  • Added bundleId format validation to prevent XSS (Issue 1 related)
• Test changes with simple build
• Commit and push changes
• Create PR link

Summary of Changes:

Files Modified: 6 files

• PublishingResource.java - Main endpoint fixes, validation, and documentation
• AbstractPublishingJobView.java - Added filterKey field
• AbstractRetryBundlesForm.java - Added deliveryStrategy allowableValues
• PublishingJobsHelper.java - Populate filterKey in views
• PushBundleForm.java - Enhanced operation and date field documentation
• AbstractEndpointDetailView.java - Added port validation pattern

Key Improvements:

• Error Handling: Consistent JSON responses, proper 404/400 codes, validation order fixes
• Input Validation: XSS prevention, date format validation, pagination bounds checking
• API Documentation: Machine-readable enums, proper examples, async behavior documentation
• Schema Consistency: Exposed filterKey for API reproducibility, format constraints

---

[github-actions]

PRs linked to this issue

• fix: Publishing Push Job Management API - 10 issues resolved by @hassandotcms